Thursday, December 29, 2011

As one of Stratfor's Free Intelligence Report subscribers, I received an e-mail message from you expressing your "deep regret (that) an unauthorized party illegally obtained and disclosed personally identifiable information and related credit card data of some of our paying subscribers." Your email went on to request feedback from me and your other subscribers about "this situation". Here's my response.

You clearly want to restore confidence among your customers and potential customers after a breach occurs. Your email was unsuccessful in doing that for two main reasons:

1. You failed to address why your customers' credit card numbers weren't encrypted. This is probably the most serious aspect of your breach.

2. You failed to disclose how the breach occurred. Anonymous is known for discovering simple website vulnerabilities and exploiting them. I'm guessing that was the case for you, which means there's an issue with your own risk assessment capabilities.

Instead of addressing these two critical challenges to your competence as a web-based business and provider of intelligence analysis, you've chosen to offer me one year of consumer identity protection services and pledged to continue sending me your free Security and Geopolitical weekly reports (which I've been unable to get you to stop sending me for well over a year). I hope that you can now see how ludicrous your attempt to restore my confidence is and instead will make a more sincere effort to 1) acknowledge what you did wrong, 2) apologize for it, and 3) tell me what you're going to do differently so that it won't happen again.

Chapter 14: Conducting Operations in the Cyber-Space-Time Continuum
- Anarchist Clusters: Anonymous, LulzSec, and the Anti-Security Movement
- Social Networks: The Geopolitical Strategy of Russian Investment in Social Media
- Globalization: How Huawei Bypassed U.S. Monitoring by Partnering with Symantec

Wednesday, December 21, 2011

The claim that I'm referring to was reported by Associated Press to a variety of news outlets and essentially stated that "as few as 12 different Chinese groups, largely backed or directed by the government there, do the bulk of the China-based cyberattacks stealing critical data from U.S. companies and government agencies, according to U.S. cybersecurity analysts and experts."

My view is that this claim is bullshit. Here's why:

ONE. It's self-serving. The cybersecurity analysts and experts quoted in the article from Mandiant and Dell SecureWorks have 1) a vested interest in painting China as the bad guy since the bulk of their marketing is APT-centric (APT being a code word for China), and 2) SecureWorks has a less than stellar track record in analysis (Stuxnet and Duqu 2011) and attribution (Kyrgyzstan 2009) - they've made highly questionable claims in both cases.

TWO. The 12 hacker groups have not been named, which prevents independent analysis from being performed by individuals who don't have a vested interest in the outcome.

THREE. There's been no proven reliable way to assign attribution. Digital DNA is a marketing ploy, not a fact.

FOUR. It conflicts with our own research on State and non-State actors involved in cyber espionage.

FIVE. It conflicts with our confidential work in incident response and protection for Taia Global clients including members of the Defense Industrial Base.

SIX. It lacks rigor. For example, I highly doubt that either Mandiant or Dell SecureWorks applied negative analysis to their findings before making their claims (i.e., looked for reasons why their findings could be wrong - a standard analytic technique).

The companies behind this claim should make their case publicly and present their evidence for peer review or not make it at all. This type of sensationalist reporting, besides trolling for government contracts, feeds anti-China paranoia while minimizing the role of many other State actors engaging in the same activity as China. Senators and Congressmen unfortunately don't have enough knowledge about cybersecurity to discern truth from fiction, so what starts off as highly questionable analysis soon becomes terrible U.S. government policy, especially when it advocates giving civilian U.S. companies permission to counterattack a specific nation's network. There has never been a worse idea in the history of bad ideas than that one.

Monday, December 19, 2011

A November 17, 2011 article in Channelnomics states that "Symantec may have ended its experiment as a hardware manufacturer by selling its stake in its joint venture with Huawei Technologies, but Big Yellow remains committed to developing appliance-based backup solutions and will continue to contract with Huawei and Huawei Symantec as a hardware supplier (emphasis added). In a letter to partners, North America channel chief Randy Cochran says the contract manufacturing relationship between Symantec and Huawei will remain unaffected, as will Symantec’s commitment to marketing and developing appliance-based solutions."

So one of the world's largest security companies continues to partner with the very Chinese company that most of Symantec's customers are buying their systems to protect against. That displays a level of hypocrisy that I have no tolerance for.

Even worse, as General James Cartwright and others in the U.S. government rail against China, the Department of Defense, Boeing, Lockheed Martin and CSC are all buying Huawei Symantec hardware according to one Huawei Symantec channel partner that I spoke with privately. If Rep. Rogers makes good on his promise to hold hearings on Huawei and ZTE, I hope that he investigates who in the U.S. government and the Defense Industrial Base are buying Huawei Symantec products, which are all made by Huawei in China.

Can the U.S. legally engage in covert cyber counter strikes as a form of active defense against hostile actions by non-state actors in Russia, China or elsewhere? That's one of the forward-looking talks being given at Suits and Spooks DC by Professor Catherine Lotrionte of Georgetown University.

Are tamper-proof chips really tamper proof? Can firmware be extracted from the locked chips such as those used on the captured RQ-170? Travis Goodspeed will show how it can be done on the cheap.

Can a privately funded spy satellite system be used to secure evidence targeting criminal behavior by governments or their officials? Thanks to the work of the Enough Project organization, we know the answer to that question is yes. Jonathan Huston will explain how they did it.

And that's just 3 of our talks. In addition to Catherine, Travis, and Jonathan, Suits and Spooks attendees will interact with:

Every attendee will have an opportunity to ask questions and interact with the speakers in an elegant setting overlooking the Potomac river and the Capital. The entire day will be focused on brain-storming new security solutions that we hope will give birth to a revolution in security affairs. Real-time analysis on a Palantir workspace will be flashed onto a screen behind the speakers and a final report will be issued afterwards to members of Congress and interested agencies.

Pricing includes breakfast, lunch, and a wine reception afterwards:

- Students and academics: $195
- Gov't employees: $295
- Early bird registration: $395
- Standard registration: $495

The early bird registration ends January 6, 2012, and we are capping attendance at no more than 100 individuals, including speakers, so reserve your seat today.

Sunday, December 18, 2011

The alleged downing of an RQ-170 by Iran has raised a lot of public attention to existing problems in how the Air Force is managing its Unmanned Aerial Systems. As I reported earlier, an unknown person with FOUO access uploaded an Air Force report to the Public Intelligence website that detailed some of those vulnerabilities one day after Iran announced its capture. On Saturday another FOUO document appeared on PublicIntelligence.net regarding Afghan drone operations by the US Marine Corps. The Government Accountability Office (GAO) has produced quite a few reports over the past few years that delineate numerous problems with Unmanned Aerial Systems, some as far back as 2008. Some of the problems identified back then have yet to be fixed, such as the lack of a redundant satellite relay site (GAO report 10-331).

The above graphic illustrates the command and control framework that's in place for Predator, Reaper and Global Hawk UAS missions that support contingency operations in Iraq and Afghanistan. A ground control station in the U.S. takes control of the aircraft. A satellite relay site at a fixed location outside of CONUS relays signals from the ground control station to the UAS. Any disruption at the satellite relay site would impair the operation of the aircraft. While the Air Force has told the GAO that they're working on implementing a redundant system to solve this problem, as of March 2010 they "had not conducted a detailed analysis of these options to determine the extent to which they would provide for the continuity of UAS operations, or established a specific milestone to formalize a plan that could be implemented quickly in the event of a disruption." Furthermore, the Air Force didn't anticipate bringing a redundant satellite system online until fiscal year 2012 at the earliest.

Two other detailed examinations of vulnerabilities present in the Air Force's UAS operations are in the following GAO reports (FOUO):

The above table of U.S. UAS Producers and Developers comes from the Department of Commerce's Flight Plan 2011 (.pdf). Of the 11 companies listed, the following have acknowledged that they have been the victim of cyber attacks: Boeing, Lockheed Martin, Northrop Grumman, and Raytheon. Most likely all 11 of these companies, as members of the Defense Industrial Base, would fall into that category, but the above four have gone publicly on record that they are constantly defending against malicious network attacks. However, this reflects only a tiny portion of the attack surface for an adversary who's looking to acquire intelligence on operations or R&D. Globalization has extended an adversary's ability to compromise UAS company networks by attacking affiliates or sub-contractors. For example, Japan's UAV association membership includes Mitsubishi Heavy and Kawasaki Heavy, both of whom were hit with simultaneous cyber attacks last summer and both of whom regularly engage with U.S. defense contractors such as Boeing on various projects.

Europe has 153 UAS producers and developers, some of whom are giant companies like EADS and BAE. BAE was implicated in the massive theft of data from the F-35 Joint Strike Fighter program in 2009 when it was believed that access to the data was gained by breaching BAE's network. It's impossible to know how many of those 153 companies have suffered attacks against their network but considering the value of this technology and the rapidly growing demand for drone aircraft world-wide, it would be naive to believe that any of their networks could withstand a targeted attack.

The most important outcome from Iran's capture of the RQ-170 should be an in-depth vulnerability assessment of both U.S. intellectual property and operational vulnerabilities of our Unmanned Aerial System aircraft. This must include an international analysis of partnering companies like Boeing-Mitsubishi, Lockheed Martin-BAE, Insitu-ADASI, and many others. The worst outcome is blind denial that Iran or other U.S. adversaries are capable of compromising U.S. drone operations.

Thursday, December 15, 2011

Here's some disconcerting news from an Israeli news source. FARS has reported that the government of Iran possesses not one but 3 U.S. drones and 4 Israeli drones - all of which will be put on display and open to foreign ambassadors for inspection. The same article reports that an Iranian government official has traveled to Moscow to discuss Russia's request to examine the RQ-170. If Russia gets permission, China's next.

FARS has also been busy running its own Information Operations campaign mocking the U.S. and President Obama for asking Iran to return the drone. I'm not sure who in the White House thought that was a good idea but he needs to be fired.

Wednesday, December 14, 2011

Interesting timing. At some point after Iran captured a sophisticated RQ-170 RPA (Remotely Piloted Aircraft - UAV is a misnomer), the Public Intelligence website received an FOUO report entitled "Operating Next-Generation Remotely Piloted Aircraft for Irregular Warfare" published in April 2011 by the U.S. Air Force Scientific Advisory Board. One of the many issues that the panel was asked to investigate was electronic threats. Its related finding - "Limited communications systems result in communications latency, link vulnerabilities, and lost-link events."

Section 2.4.3 "Threat to Communication Links" expands on the state of vulnerabilities present for RPAs:

Jamming of commercial satellite communications (SATCOM) links is a widely available technology. It can provide an effective tool for adversaries against data links or as a way for command and control (C2) denial.

Operational needs may require the use of unencrypted data links to provide broadcast services to ground troops without security clearances. Eavesdropping on these links is a known exploit that is available to adversaries for extremely low cost.

Spoofing or hijacking links can lead to damaging missions, or even to platform loss.

Section 2.4.4 "Threat to Position, Navigation, and Guidance":

Small, simple GPS noise jammers can be easily constructed and employed by an unsophisticated adversary and would be effective over a limited RPA operating area.

GPS repeaters are also available for corrupting navigation capabilities of RPAs.

Cyber threats represent a major challenge for future RPA operations. Cyber attacks can affect both on-board and ground systems, and exploits may range from asymmetric CNO attacks to highly sophisticated electronic systems and software attacks.

These are just a few of the key findings that impact the mission of RPAs. With this report as background, the capture of the RQ-170 by Iranian forces needs to be evaluated fairly and not dismissed as some kind of Iranian scam for reasons that have more to do with embarrassment than a rational assessment of the facts. Remotely Piloted Aircraft are the future of air combat, not just for the U.S. but for every military force in the world. Theft of this technology via cyber attacks against the companies doing R&D and manufacture of the aircraft is ongoing. Whether the Iranians got lucky or have acquired the ability to attack the C2 of the drone in question, there are obviously some serious errors in judgment being made at very high levels, and secrecy about it is only serving the ones guilty of making those bad decisions.

UPDATE (1453 PST 14DEC11): I just confirmed with the Public Intelligence website that the Air Force document was provided to their site about one week ago which would make it the day after the news on the downed RQ-170 was announced. Clearly someone with FOUO access wanted this information to be made public to inform the controversy surrounding the incident.

Monday, December 12, 2011

I was going to name this post 'My Free "Expert" Advice ...' but we all know that free advice is ignored, so once I hit the 'publish' key on this blog, I'll send an invoice to 10 Downing Street requesting payment. I'll make sure that the invoice is in 7 figures since they're obviously quite willing to throw extravagant amounts of money at companies with the word "expert" in their marketing materials (hence my use of the word "expert" in the title).

The reality is that there are no experts in this field. I wrote a well-received book on the subject, have spoken at dozens of conferences, had papers published, regularly consult for U.S. and foreign government agencies, and have engaged in incident response for very large corporations, and I don't call myself an expert. In fact, authentic experts never bestow themselves with that title. If it's used at all, it's given to them by others who have experienced their work first-hand. I know many people who I would call experts in different fields but none in the area of cyber warfare. The field is too new, too undefined, and we're all still finding our way.

The British government appears to have bought into the marketing materials of prime contractors like Lockheed Martin, BAE, Raytheon, General Dynamics, RSA, McAfee, ManTech and who knows who else. Big mistake. They not only cannot protect the British government, they've been unable to protect the U.S. government. The director of the NSA along with the director of DARPA have both admitted that the current security framework we use is broken. Who implements that framework? Prime contractors like the ones I mentioned above and their sub-contractors, with some help from government employees.

So here's my "expensive expert advice" for whoever is in charge of the British government's purse strings:

1. You can't keep China, Russia, France, or any other State out of your network. They're already there and they aren't leaving.

2. You can't secure what you don't own, so if you want to secure your power grid, buy it back from the Chinese company that owns it.

3. If anyone tells you that they can do 1 or 2 above, grab your checkbook and run the other way.

4. While you can't keep bad guys out, you can raise the cost to mount a successful attack. Or - you don't have to outrun the bear, you just have to outrun the other countries who are being chased by that bear (or dragon).

5. While you can't keep a dedicated adversary out of your network, you can keep your data from leaving. That's in large part where you need to focus your resources and where you'll get the best return on investment.

6. You have serious supply chain problems and need to start testing the firmware updates for all those servers you own that were made in China for backdoors.

7. You have serious software issues and need to investigate any code written by Russian firms for backdoors.

8. Cancel your contracts with Chinese telecommunications companies if they are providing products that would give them access to sensitive data.

Now that General Cartwright is free from the restrictions that he had to operate under as an employee of the U.S. government, his remarks regarding China are even more inflammatory than they were when he held the position of Vice Chairman, Joint Chiefs of Staff, at least according to this article in The Guardian.

"Right now we have the worst of worlds," said Cartwright. "If you want to attack me you can do it all you want, because I can't do anything about it. It's risk free, and you're willing to take almost any risk to come after me."
The US, he said, "needs to say, 'if you come after me, I'm going to find you, I'm going to do something about it.' It will be proportional, but I'm going to do something ... and if you're hiding in a third country, I'm going to tell that country you're there, if they don't stop you from doing it, I'm going to come and get you."

General Cartwright's opinion that the best cyber defense is a good offense is a throwback to his honorable career as a Marine waging war on a physical battlefield. Unfortunately, that strategy doesn't work in cyberspace. It's ironic that Dell SecureWorks has come out on Cartwright's side in this debate since Dell is heavily invested in its operations in China. SecureWorks' engineers would make better use of their time by creating a way to test Dell servers for backdoors than by trying to get legal permission to attack Chinese hacker crews that they suspect are behind espionage attacks against U.S. corporations.

Calls to action are good and appropriate for a problem as serious as IP theft has become, and the frustration at the lack of effectiveness of what we're currently doing is certainly understandable. The problem is that the outlet for that frustration is being directed in a harmful, not helpful, way. Giving the green light to U.S. industries to "go after" groups that they perceive as bad actors is akin to vigilantism and could easily trigger a war that spills over into actual bombs and bullets instead of bits and bytes. Further, any Information Security outfit that believes that the problem is solely China doesn't have a clue about the nature of the environment that they're supposed to be operating in. Besides Russia and North Korea, U.S. allies like France, Germany, and Israel are benefiting from acts of cyber espionage against the U.S. too, and if they're smart about it (and they are), they'll leave evidence which implicates China. General Cartwright's calls for offensive action simply play into the hands of those States' strategies of misdirection and obfuscation.

A smarter and more effective alternative is to switch from network-centric to data-centric protective mechanisms. If you want to keep your valuable data from being stolen, you first have to start monitoring it. Threatening China or any other country is just wasting valuable time and making the person doing the threatening look ineffective.

Saturday, December 10, 2011

Evidently there is nothing that has remained unscathed by the power of instantaneous communications via social networks like Twitter and Facebook. The protest against perceived fraud in the Russian elections is the largest seen in Russia since the fall of the Soviet Union. The protest against the 1% by the Occupy movement hasn't been seen since the anti-war protests of the 60's. The State Department is still struggling with how to cope with the exposure of hundreds of thousands of classified diplomatic cables published on Wikileaks a year ago.

A clue to how the Russian government, the U.S. State Dept. and pretty much every other related agency and organization needs to re-think their strategy thanks to the power of social networks can be found in two podcasts by Sons of Anarchy creator and show runner Kurt Sutter. Sutter is clearly passionate about his show, and deservedly so. I think it's one of the best dramas on television and both my wife and I are fans. But passion isn't enough in today's wired world. Sutter has to factor in union production requirements, network schedules, and something which didn't exist in the first few seasons - instantaneous critical reviews. Unfortunately, he hadn't counted on the power of that last factor in this latest season. As I watched Kurt Sutter's podcasts (WTF Sutter Finale parts 1 and 2) I sympathized with his frustration as he talked about learning the hard way that crafting a great season wasn't enough; that his entire season would now be judged in the world of instantaneous communications solely upon the strength of his last show.

Lots of powerful figures besides show runners have underestimated the power of social networks. The ability for huge numbers of individuals to observe, communicate, and act in real-time is throwing traditional strategies of law enforcement agencies and battlefield commanders into obsolescence. We should be open to learning new strategies wherever they may be found - including the musings of the creator of a show about an outlaw motorcycle club.

As a side note, if anyone has a contact for Kurt Sutter, I think he'd make a great addition to the Suits and Spooks conference. Consider this your invitation, Mr. Sutter.

My goal for each Suits and Spooks anti-conference is to tackle a hard challenge with a unique approach. In this case, we're going to use Palantir to navigate and intuit patterns in unstructured human speech instead of unstructured data to find hidden connections and spark creative solutions.

Palantir was created to perform information analysis. We used it 3 1/2 years ago for our open source intelligence experiment called Project Grey Goose. In February 2012 we're going to reinvent its use by moving from finding "fragments of data which tell a larger story" to finding fragments of ideas presented by speakers and commented upon by attendees. I'm particularly excited about the input from attendees because, unlike the standard conference where attendees have to queue up before one or two microphones, at SnS every attendee will have a microphone at their seat and will be able to challenge speakers during their 30 minute presentations. Additionally, attendees will be able to send text messages to the Palantir engineer for ingestion into the application. Twitter will be a third source of input by ingesting everything tweeted to @suitsandspooks on the day of the event. We will not only be capturing the remarkable information provided by our speakers but the ideas and feedback that it inspires on the part of our attendees.

Finally, all of those inputs will be linked and analyzed in real time by projecting the Palantir workspace onto a screen behind the speaker podium which will multiply the effect of idea generation as new linkages and conceptual ideas are displayed, added to, spoken about, analyzed and re-displayed repeatedly throughout the day. After the event is over, we'll publish a report containing our findings along with screen shots of the Palantir workspace that will portray how the analysis was done.

10 Days Left For The Early Bird Discount

Register today to be a part of this unique process and interact with the following remarkable individuals who'll be speaking:

Ben Milne (founder of Dwolla)

Jonathon Huston (Satellite Sentinel Project)

John Robb (Brave New War)

Janina Gavankar (Posterous Spaces for Actors)

Jodee Rich (founder of PeopleBrowsr)

Anup Ghosh (founder of Invincea)

Daniel Geer (In-Q-Tel)

Rand Waltzman (Darpa)

(and more to come)

Please support this event with your attendance and with word of mouth. The topic - Shaping a Revolution in Security Affairs - is vitally important, as the recent capture of a Top Secret RQ-170 Stealth Sentinel drone so dramatically illustrates. Everyone from the Director of the NSA on down knows that the present system is broken (with the exception of the RSAs of the world). This is your opportunity to be a part of discovering a more effective model.

Friday, December 9, 2011

Courtesy of Recorded Future: https://www.recordedfuture.com/rf/s/2z0Cm4

The loss of the RQ-170 Stealth Sentinel drone to Iran is potentially one of the most critical events that has occurred in 2011 because it implies an offensive electronic warfare or cyber capability that no one expected Iran to have. Now that Iran has released a video of the captured drone and the U.S. government has confirmed that it's authentic, it's clear that the original FARS report claiming that it was captured via electronic means may have been accurate in spite of unanimous Western media reports to the contrary; i.e., that it was shot down.

EMEA's strategic intelligence report on the RQ-170 says that the Stealth Sentinel is a high altitude and long endurance unmanned aerial vehicle (UAV) designed and manufactured by Skunk Works, a division of Lockheed Martin Corporation, for the United States Air Force (USAF). According to EMEA:

The UAV can capture real time imagery of the battlefield and transfer the data to the ground control station (GCS) through a line of sight (LOS) communication data link. The 27.43m wide and 1.82m high aerial vehicle was designed to execute intelligence, surveillance, reconnaissance and target acquisition (ISTAR) and electronic warfare missions over a target area.

According to Earl Lum, President of EJL Wireless Research LLC, what is supposed to happen when an Unmanned Aerial Vehicle (UAV) like the RQ-170 loses its comms link is that it should autonomously follow a pre-programmed lost-link profile consisting of waypoints at various altitudes, forming a loop until it re-establishes contact or crashes. Today the communication link for UAVs is typically LOS (line of sight). If it falls below the mountains and loses LOS, it is supposed to then go through this process. However, while this applies to UAVs in general, it may not be the case with the RQ-170.

Navigation technology
According to the EMEA report, the RQ-170 can be controlled either manually from the GCS or in autonomous mode. An automatic launch and recovery (ALR) system enables the aircraft to land safely when communication with the control station fails.

Ground control station
The GCS of the RQ-170 displays the real time imagery or videos captured by the vehicle's onboard payload cameras. The data supplied by the vehicle is retrieved, processed, stored and monitored at the control station, which was designed and built by Skunk Works. The GCS tracks, controls and monitors the RQ-170 by transferring commands to the vehicle via LOS SATCOM data link. The Sentinel is operated by the 432nd Wing of Air Combat Command (ACC) at Creech Air Force Base, Nevada, and the 30th Reconnaissance Squadron at Tonopah Test Range, Nevada.

Related cyber incidents that may have compromised the RQ-170:
- A South Korean newspaper, JoongAng Daily, reported in December 2009 that the RQ-170 was flight tested in South Korea to supersede the U-2 aircraft at Osan Air Base for carrying out missions over North Korea. North Korea is an ally of Iran and has conducted offensive CNE (Computer Network Exploitation) and CNA (Computer Network Attack) missions against South Korea repeatedly for several years. It's unknown what information has been stolen; however, this type of intelligence is highly sought after and it's reasonable to assume that the DPRK would include it on a CNE acquisitions list.
- Lockheed Martin reported a cyber attack in June 2011 that lasted about one week. LM didn't report what was taken; however, as with the DPRK example, UAV research has been targeted at U.S. defense firms as late as this past summer according to my own confidential sources.
- Creech Air Force Base experienced a malware infection that impacted its UAV Ground Control Stations in October 2011. Its public report on the incident was confusedly written and lacked details regarding the malware involved, its propagation and its remediation.

Summary
The objective of this article is to assess possibilities. Based on EMEA's report on the RQ-170, it appears that the drone had the ability to land itself without operator control. I'd appreciate hearing from any experts who can confirm whether that's the case or not. If it is, then Iran may have lucked out. If it isn't, then Iran's claim that it used its electronic warfare capacity to assume operational control of this substantial U.S. military asset appears to be true. Considering how easy it is for an adversary to conduct CNE against targeted U.S. networks, this is probably a capability that they obtained from one of many mercenary hacker crews who engage in that type of activity. While the scope of this article is hypothetical, the CNE targeting of UAV R&D is a fact borne out by my own company's work in this area. Iran may or may not have that capability now, but eventually it will. The RQ-170 event should be a massive wake-up call for the U.S. Air Force to reinstall a self-destruct capability, harden the RQ-170's operating system, and examine potential vulnerabilities in its UAV fleet supply chain.

The most frightening prospect raised by what appears to be a largely intact Sentinel is that the Iranians' second claim about how they brought it down -- by hacking into its controls and landing it themselves -- might be true, said a U.S. intelligence official, who spoke only on the basis of anonymity because the RQ-170 is part of a Secret Compartmented Intelligence (SCI) program, a classification higher than Top Secret.
The official said the possibility that the Iranians or someone else hacked into the drone's satellite communications is doubly alarming because it would mean that Iranian or other cyber-warfare officers were able to disable the Sentinel's automatic self-destruct, holding pattern and return-to-base mechanisms. Those are intended to prevent the plane's secret flight control, optical, radar, surveillance and communications technology from falling into the wrong hands if its controllers at Creech Lake Air Force Base or the Tonopah Test Range, both in Nevada, lose contact with it.
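To make the lost-link behaviour described above concrete (the waypoint loop from Earl Lum's description, the ALR landing from the EMEA report, and the return-to-base and fuel-reserve logic the quoted official refers to), here is a constructed Python model added as an example; it is not code from the original post or from any real RPA, and every waypoint, fuel figure, timeout and profile rule in it is an assumed value. It shows how the same lost-link event ends in a landing at base, a crash, or an intact airframe on the ground depending on whether the profile honors its fuel reserve and whether autonomous landing is present.

```python
"""Constructed model of a UAV lost-link profile (example only; assumed values)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set, Tuple


class State(Enum):
    LINKED = "linked"                    # C2 heartbeat current; operators in control
    LOST_LINK_HOLD = "lost_link_hold"    # flying the pre-programmed waypoint loop
    RTB = "return_to_base"               # reserve reached, heading for base
    LANDED_AT_BASE = "landed_at_base"
    LANDED_ALR = "landed_alr"            # autonomous landing away from base: intact airframe
    CRASHED = "crashed"                  # fuel exhausted with no ALR capability


@dataclass(frozen=True)
class Waypoint:
    name: str
    altitude_ft: int
    leg_seconds: int      # time to fly this leg
    leg_fuel_lb: float    # fuel burned on this leg


@dataclass(frozen=True)
class LostLinkProfile:
    loop: Tuple[Waypoint, ...]   # loop flown while the link is down
    link_timeout_s: int          # silence before the aircraft declares lost link
    rtb_fuel_lb: float           # fuel needed to reach base from the loop
    auto_land: bool              # ALR present (as the EMEA report describes) or not


# Constructed three-waypoint hold loop (hypothetical names and figures).
DEMO_LOOP = (
    Waypoint("ALPHA", 20000, 120, 40.0),
    Waypoint("BRAVO", 25000, 180, 50.0),
    Waypoint("CHARLIE", 22000, 120, 40.0),
)


def fly(profile: LostLinkProfile, fuel_lb: float, heartbeats: Set[int],
        max_legs: int = 50) -> Tuple[State, List[str]]:
    """Fly legs until a terminal state. heartbeats = leg indexes on which a C2
    heartbeat was received. Returns (final_state, trace)."""
    state, silent_s, fuel = State.LINKED, 0, fuel_lb
    trace: List[str] = []
    for leg in range(max_legs):
        wp = profile.loop[leg % len(profile.loop)]
        if leg in heartbeats:
            silent_s = 0
            if state is State.LOST_LINK_HOLD:      # operators are back in control
                state = State.LINKED
                trace.append(f"leg {leg}: link regained at {wp.name}")
        else:
            silent_s += wp.leg_seconds
            if state is State.LINKED and silent_s >= profile.link_timeout_s:
                state = State.LOST_LINK_HOLD
                trace.append(f"leg {leg}: lost link after {silent_s}s silence, entering loop")
        # Another hold leg would eat into the reserve: go home now instead.
        if state is State.LOST_LINK_HOLD and fuel - wp.leg_fuel_lb < profile.rtb_fuel_lb:
            state = State.RTB
        if state is State.RTB:
            if fuel >= profile.rtb_fuel_lb:
                trace.append(f"leg {leg}: RTB with {fuel:.0f} lb, landed at base")
                return State.LANDED_AT_BASE, trace
            # Reserve mis-set or already gone: ALR puts the airframe down wherever it is.
            final = State.LANDED_ALR if profile.auto_land else State.CRASHED
            trace.append(f"leg {leg}: {fuel:.0f} lb left, cannot reach base -> {final.value}")
            return final, trace
        fuel -= wp.leg_fuel_lb
        trace.append(f"leg {leg}: {state.value} at {wp.name} {wp.altitude_ft} ft, fuel {fuel:.0f} lb")
        if fuel <= 0:
            final = State.LANDED_ALR if profile.auto_land else State.CRASHED
            trace.append(f"leg {leg}: fuel exhausted -> {final.value}")
            return final, trace
    return state, trace


def demo() -> Dict[str, State]:
    """Four constructed scenarios: link regained, reserve honored, reserve mis-set without/with ALR."""
    reserve_ok = LostLinkProfile(DEMO_LOOP, 60, 200.0, auto_land=False)
    alr = LostLinkProfile(DEMO_LOOP, 60, 200.0, auto_land=True)
    return {
        "link_regained": fly(reserve_ok, 1000.0, {0, 1, 4, 5}, max_legs=6)[0],
        "reserve_honored": fly(reserve_ok, 1000.0, {0, 1})[0],
        "reserve_misset_no_alr": fly(reserve_ok, 150.0, set())[0],
        "reserve_misset_alr": fly(alr, 150.0, set())[0],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome.value}")
```

The last two scenarios are the point of the Summary above: an ALR-equipped aircraft that loses its link with too little fuel to reach base lands intact wherever it is, which is exactly the outcome a self-destruct or a correctly sized reserve is meant to prevent.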

UPDATE (1708 PST 22DEC11): Cryptome has an interesting thread on the use of the RSA cipher to protect the GPS Red band used on military systems like the RQ-170. This suggests that data from the RSA breach last March may have been shared with the Iranians.

UPDATE (0715 PST 05JAN12): AviationWeek has an excellent technical article on the F-22 technology used on the RQ-170.

Wednesday, December 7, 2011

Time magazine recently ran a story about how George Clooney and John Prendergast of the Enough Project decided to raise money to set up a private satellite spy network to focus on the atrocities being committed in Sudan. The program has been so successful that the International Criminal Court is bringing charges against a Sudanese government official. This is an example of the kind of disruptive thinking that Suits and Spooks 2012 in Washington DC is looking for. Fortunately, Jonathan Huston, the Communications Director of Enough, has agreed to speak about how the project works. He's given similar talks to the U.S. Geospatial Intelligence Foundation.

Suits and Spooks 2012 isn't a passive conference. Both attendees and speakers will be interacting the entire day to produce innovative and disruptive ideas that relate to creating a new security framework to address the new and rapidly expanding threat landscape created as the physical and virtual worlds continue to become interwoven with each other. The ideas of both speakers and attendees will be captured in real-time in a Palantir workspace with live analysis being done and projected onto a screen behind the speakers. A final report will be released summarizing the day's findings.

You can be a part of this revolutionary experience by registering today. We offer a special rate for students and academics as well as government employees, and an early bird discount will run for everyone until January 6, 2012.

Tuesday, December 6, 2011

On December 4th, the Iranian FARS news agency announced that the electronic warfare group of the Iranian military took over the operations of a very sophisticated, un-manned RQ170 Stealth Sentinel drone along the border between Afghanistan and Iran. NATO acknowledged that operators lost control of a drone in that area one week ago, but that doesn’t necessarily mean that Iran was responsible. Iran has lied about drone captures before and may be lying this time, but there are at least four good reasons why it may have succeeded.

Through my company’s work in this area, I know that Un-manned Aerial Vehicle (UAV) technology is actively being targeted and acquired via acts of cyber-espionage. This includes research in the Narrowband spectrum which is how UAVs receive their commands.

It’s not enough to know that Narrowband technology is used. An adversary would need to know the specific frequency in order to assume control of the vehicle. That obstacle may have been solved in October with the discovery of “credential-stealing” malware infecting the Ground Control Stations at Creech AFB. If the UAV operators (or pilots) entered the narrowband frequencies used to control their drones on a keyboard, and that keyboard was infected with a keylogger, that information would be captured and delivered to a command and control server and then collected by whomever was responsible for the attack.

The RQ170 Stealth Sentinel, along with the Reaper and Predator drones, is operated by pilots manning ground control stations at Creech AFB. The Air Force has not been forthcoming with details of the malware attack nor its remediation, and the information that it has provided has been vague and misleading.

Thanks to Stuxnet, Iran is spending a lot of money to ramp up its cyber warfare capabilities, and it's highly motivated to obtain some "get-back" against the U.S. since it believes that the U.S. and possibly Israel are responsible for the Stuxnet attack.

No one will know for sure if Iran successfully launched a cyber attack against “The Beast of Kandahar” (as the RQ170 is called) unless Iran presents proof, but its intent to do so is real; the theft of related technology is real; the lapse in cyber-security at Creech AFB was very real; and the Air Force would be well-advised to take this threat seriously and re-evaluate the vulnerabilities that exist today in its UAV fleet.

Sunday, December 4, 2011

The Washington Post has reported that Iran's cyber warfare unit took over the controls of a Lockheed Martin RQ-170 Sentinel stealth drone flying over Eastern Iran and landed it with minimal damage. As of this writing, the U.S. Air Force hasn't yet confirmed or denied the attack. I've left a message with the on-call PA officer at Creech Air Force Base, which is the home of the 432d Wing which flies RQ-170 Sentinels according to this factsheet.

Creech Air Force Base, as you may recall, suffered a malware infection of its Reaper and Predator Ground Control Stations last October. After Noah Shachtman broke the story, the Air Force issued a press release claiming that the malware was a simple "credential stealer" and not a "keylogger", which is a distinction without a difference as I pointed out here. Approximately one and a half months after the Air Force issued that statement, Iran claims to have successfully compromised the flying operations of one of its drones - possibly flown out of the same Air Force base.

Iran's Cyber Warfare Capabilities

Note: The following assessment comes from chapter 16 of the 2nd edition of Inside Cyber Warfare, due out this month:

In 2010 the Iranian Islamic Revolution Guards Corps (IRGC) set up its first official cyber warfare division. Since then, its budget and focus have indicated the intention of growing these cyber warfare capabilities. Education is considered a top priority in the strategy, with increased attention to computer engineering-specific cyber security programs. The IRGC budget on cyber capabilities is estimated to be US$76 million. The IRGC’s cyber warfare capabilities are believed to include the following weapons: compromised counterfeit computer software, wireless data communications jammers, computer viruses and worms, cyber data collection exploitation, computer and network reconnaissance, and embedded Trojan time bombs. The cyber personnel force is estimated to be 2,400, with an additional 1,200 in reserves or at the militia level. In June 2011 Iran announced that the Khatam al-Anbiya Base, which is tasked with protecting Iranian cyberspace, is now capable of countering any cyber attack from abroad, a claim that will likely be tested soon given the volatile nature of cyberspace. In August 2011 Iran challenged the United States and Israel, stating that it is ready to prove itself with its cyber warfare capabilities. Should the Iranian cyber army be provoked, Iran would combat these operations with its own “very strong” defensive capabilities.

In my opinion, the U.S. Air Force needs to respond to this claim by the Iranians quickly and authoritatively because its lackluster conduct regarding the initial infection found at Creech makes this claim by Iran more believable, not less.

UPDATE (1121 04DEC11): CNN quotes a U.S. official confirming that an operator lost flight control of an RQ-170 Sentinel over Western Afghanistan (which borders Eastern Iran).

UPDATE (1807 04DEC11): Western sources are reporting that the RQ-170 drone was shot down; however, FARS quoted an Iranian military official saying that it was taken down via electronic means "with electronic war units" and with minimal damage, which makes this a cyber attack. The Al-Jazeera story is here.

Wednesday, November 30, 2011

2011 was the year that our perceived security was stripped away. EMC’s RSA division was breached and soon afterward so were some of its customers. The world’s largest anti-virus companies have been taken to task for selling snake oil (also known as anti-virus) to gullible CEOs. Local police departments were unable to protect their own officers’ personal and confidential information. The FBI’s InfraGard program was repeatedly hacked. And the directors of DARPA and NSA have recently both agreed that after many years of trying they’ve failed to come up with a security model that works.

We’ll be entering 2012 more vulnerable than ever before because at least part of our security relied upon the perception by bad guys that those charged with our security, both public and private, could do the job. Well, that myth has been busted, which gives rise to opportunity. Conversely, over 28 nations and counting are developing offensive cyber capabilities, and the really malicious actors of the world like drug cartels and extremist groups (both domestic and foreign) are rapidly learning what’s possible vis-à-vis attacks through cyberspace. In other words, those with the means to act are growing quickly.

Finally, the anger and frustration of the expanding Occupy movement combined with the onset of hate-fueled politics that accompanies a Presidential election year - especially against this President - will engender widespread motivation for people to take action. With means, motive, and opportunity solidly represented, I fully expect 2012 to produce one or more multi-modal cyber attacks against a U.S. target which will result in serious harm if not loss of life. By multi-modal, I mean an offensive operation where a cyber attack represents one component. Once there's blood in the water, you can expect more of the same to quickly follow.

The very worst part of this prediction is that it's inevitable. CEOs typically refuse to act to protect their own companies if it cuts into profit. The U.S. government has refused to do what’s necessary to protect our nation’s critical infrastructure because it's 90% privately owned, and our laws and system of government have enabled this massive malfeasance so that everyone responsible can claim absence of malice. In the words of Upton Sinclair and the movie based upon his book Oil! - "there will be blood". It's just a matter of time.

Tuesday, November 29, 2011

The largest Cloud providers today are Google, Microsoft, and Amazon, each offering multiple services and platforms for their respective customers. For example, Microsoft Azure, Google Apps, and Amazon EC2 are all hosting and development platforms. Google Docs, Acrobat.com, and Microsoft Office 365 all provide basic word processing, spreadsheets and other applications for individuals to use via the Web instead of on their individual desktop. Then of course there are social networks, online gaming, video and music sharing services - all of which rely on a hosted environment that can accommodate millions of users interacting from anywhere on Earth yet all connected somewhere in cyberspace. While the benefits are many, both to individuals and to corporations, there are three distinct disadvantages from an individual and national security perspective:

The cloud provider is not responsible for securing its customers’ data

Attacking a cloud-based service provides an economy of scale to the attacker

Mining the Cloud provides a treasure trove of information for domestic and foreign intelligence services.

No Security Provisions

A Ponemon Institute [1] study on Cloud Security revealed that 69% of Cloud users surveyed said that the providers are responsible for securing their data, and the providers seemed to agree. However, when you review the terms of service for the world’s largest cloud providers, responsibility for a breach of customer data lies exclusively with the customer. For example:

From Amazon [2]: “Amazon has no liability for .... (D) any unauthorized access to, alteration of, or the deletion, destruction, damage, loss or failure to store any of your content or other data.”

From Google [3]: “Customer will indemnify, defend, and hold harmless Google from and against all liabilities, damages, and costs (including settlement costs and reasonable attorneys’ fees) arising out of a third party claim: (i) regarding Customer Data...”

From Microsoft [4]: “Microsoft will not be liable for any loss that you may incur as a result of someone else using your password or account, either with or without your knowledge. However, you could be held liable for losses incurred by Microsoft or another party due to someone else using your account or password.”

Not only do none of the three top cloud providers assume any responsibility for data security, Microsoft goes one step further and places a legal burden upon its customers that it refuses to accept for itself.

An Economy of Scale

NASDAQ’s Directors Desk is an electronic boardroom cloud service which stores critical information for over 10,000 board members of several hundred Fortune 500 corporations. In February 2011 [5], an un-named federal official revealed to the Wall Street Journal’s Devlin Barrett that the system had been breached for more than a year. It’s unknown how much information was compromised, as well as how or when it will be used. From an adversary’s perspective, this type of breach offers an economy of scale that has never been seen before. In the past, several hundred Fortune 500 companies would have to be attacked, one company at a time, which costs the adversary time and money, not to mention risk. Now one attack can yield the same amount of valuable data with a significant reduction in resources expended as well as risk of exposure.

An Open Source Intelligence Goldmine

China’s national champion firm Huawei is moving from selling telecommunications network equipment towards developing Infrastructure-as-a-Service software (the Cloud stack) needed to provide a highly scalable public cloud like Microsoft's Azure or Amazon's EC2. If it sells IaaS with the same strategy that it uses in selling routers and switches, Amazon, Google, and Microsoft can expect to begin losing a lot of enterprise business to Huawei who will cut pricing by 15% or more against its nearest competitor. Cloud customers can expect their data to reside in giant state-of-the-art server farms located in Beijing’s “Cloud Valley”; a dedicated 7800 square meter industrial area which is home to ten companies focusing on various aspects of Cloud technology such as distributed data centers, cloud servers, thin terminals, cloud storage, cloud operating systems, intelligent knowledge bases, data mining systems, and cloud system integration.

Cloud computing has been designated a strategic technology by the People's Republic of China’s State Council in its 12th Five Year plan and placed under the control of the Ministry of Industry and Information Technology (MIIT). MIIT will be funding research and development for SaaS (Software as a Service), PaaS (Platform as a Service), and IaaS (Infrastructure as a Service) models as well as virtualization technology, distributed storage technology, massive data management technology, and other unidentified core technologies. Orient Securities LLC has predicted that by 2015, cloud computing in China will be a 1 trillion yuan market.

According to the US-China Council website [6], MIIT was created in 2008 and absorbed some functions from other departments including COSTIND (Commission of Science, Technology, and Industry for National Defense):

“From COSTIND, MIIT will inherit functions relating to the management of the defense industry, with a scope that covers the national defense department, the China National Space Administration, and certain administrative responsibilities of other major defense-oriented state companies such as the China North Industries Co. and China State Shipbuilding Corp. MIIT will also control weapons research and production in both military establishments and dual-role corporations, as well as R&D and production relating to "defense conversion"--the conversion of military facilities to non-military use.”

Clearly, the PRC has made a serious commitment to Cloud Computing for the long term. This doesn't bode well for today's private cloud service providers like NetApp or public cloud providers like Amazon, Google, and Microsoft, especially if buying decisions are made on price.

In Summary

The move to the Cloud is both inevitable and filled with risk for high value government employees, corporate executives, and companies engaged in key market sectors like energy, banking, defense, nanotechnology, advanced aircraft design, and mobile wireless communications, among others. To make matters more complicated, cloud providers may move data to different server farms around the world rather than keep it in the same country as the corporation or individual which owns it. That could potentially put the customer’s data at risk for being compromised legally under foreign laws which would apply to the host company doing business there. For example, Microsoft UK’s managing director Gordon Frazier was recently asked at the Office 365 launch: “Can Microsoft guarantee that EU-stored data, held in EU based datacenters, will not leave the European Economic Area under any circumstances - even under a request by the Patriot Act?” Frazier replied: “Microsoft cannot provide those guarantees. Neither can any other company.”

The best advice for individuals and companies at this time is to insist that cloud providers build a measurably secure infrastructure while providing legal guarantees and without the use of foreign data farms. Until that occurs, and it's highly unlikely to happen without strong consumer pressure, there are significant and escalating risks in hosting valuable data with any cloud provider.

Monday, November 28, 2011

I'm pleased and excited to announce an open registration policy for our next Suits and Spooks conference scheduled for February 8th, 2012. It'll be held at the beautiful Waterview Conference Center in Rosslyn, VA and registration will be limited to no more than 100 persons. Breakfast, lunch and a cocktail reception afterwards are included.

The Challenge: Shaping a Revolution in Security Affairs.
The complexity of today's computing environment has surpassed anything that the world has seen before. The amount of data generated globally is 72 Gigabytes per person on earth according to a 2011 EMC report. Past models for securing that data have had marginal to zero effectiveness. The U.S. government has produced multiple cybersecurity initiatives over the years which lay out many hard challenges along with recommendations for R&D. Suits and Spooks II will explore new thinking on how to re-shape an information security framework based upon the revolutionary work of individuals across a wide swath of disciplines including medicine, finance, entertainment, and technology. This transdisciplinary approach will include a visual scribe and real-time link analysis projected onto a split-screen behind the speakers. At the end of the day, we'll produce a report on our findings and distribute it to the relevant agencies.

This second event is going to be different from our first Suits and Spooks conference in two very important ways:

Open Admission. The first event was by invitation only because we were creating offensive and defensive strategies using social media as an attack platform. For obvious reasons, we felt it necessary to control admission. This event is focused on problem-solving using a multi-disciplinary approach (also known as Transdisciplinarity), hence an invitation-only event would be too limiting. If you have an idea about how to build a better security framework, we want you to attend; however, we can only accommodate 100 of you.

Audience Participation. We call these events an anti-conference because we aren't interested in packing seats to listen to lectures, nor are we interested in introducing customers to vendors. We involve the attendees directly in accomplishing the objective of the event. In this case, we'll be performing live link analysis using a mind-mapping application (we haven't selected one yet) on a screen behind the speakers. This will be done simultaneously with the speaker's presentations. Attendees will be able to send SMS messages or use a white board to communicate their insights into how any given speaker's presentation may connect to another speaker's presentation on a different topic or to the challenge that we're addressing. An operator will transfer those insights and connections to the application and build linking diagrams in real time.

We have some great speakers lined up, and I'll be featuring several of them in follow up posts this week. For starters, there's Christopher Burgess, Daniel Geer and Janina Gavankar:

Christopher Burgess. Christopher serves as the Chief Security Officer and President, Public Sector, for Atigeo, LLC, a compassionate technology company. He most recently served as the senior security advisor to the CSO of Cisco, where he led the Global Threat Analysis, Global Investigative Support, Government Security Office and Litigation Support teams. Prior to joining Cisco, he served for more than 30 years as a career intelligence officer within the Central Intelligence Agency. Christopher was awarded the Distinguished Career Intelligence Medal by the CIA in recognition of his sustained significant accomplishments in the national security arena. He sits on a number of advisory boards, including Mayo Clinic’s Social Media advisory board and Rune Information Security. Burgess is also a sought-after speaker and writer, providing thought leadership on the topics of intellectual property protection, security stratagem, online safety & privacy, social media, security education and awareness, intelligence, counterintelligence, protecting against corporate/industrial espionage and global geopolitical/economic affairs. Additionally, he is the co-author of “Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”.

Daniel E. Geer, Sc.D. Dr. Geer has 10 years in clinical and research medical computing followed by five years running MIT's Project Athena, the first distributed computing emplacement. After a series of entrepreneurial endeavors either as a founder or an officer of the company, he's now in government service at In-Q-Tel, the investment arm of the US intelligence community. Dr. Geer's milestones include: The X Window System and Kerberos (1988), the first information security consulting firm on Wall Street (1992), convenor of the first academic conference on electronic commerce (1995), the "Risk Management is Where the Money Is" speech that changed the focus of security (1998), the Presidency of USENIX Association (2000), the first call for the eclipse of authentication by accountability (2002), principal author of and spokesman for "Cyberinsecurity: The Cost of Monopoly" (2003), co-founder of SecurityMetrics.Org (2004), convener of MetriCon (2006-present), author of "Economics & Strategies of Data Security" (2008), and author of "Cybersecurity & National Policy" (2010). Creator of the Index of Cyber Security (2011) and the Cyber Security Decision Market (2011). His participation in government advisory roles includes the Federal Trade Commission, the Departments of Justice and Treasury, the National Academy of Sciences, the National Science Foundation, the US Secret Service, the Department of Homeland Security, and the Commonwealth of Massachusetts.

Janina Gavankar. Janina is an actress (HBO's True Blood) and a social media developer. I invited her to speak at Suits and Spooks after reading this Forbes article about how she found an innovative way to solve a problem that she and many of her fellow actors struggled with and that existing platforms like IMDB didn't solve. She kindly agreed to take time out of her HBO shooting schedule to make the trip to DC and share details about the problem set and her innovative approach to solving it. Understanding how individuals are tackling and solving hard problems outside of the information security industry and whether we can gain insights from that to apply to InfoSec will be a key component of our February event.

More speakers will be announced this week. I can promise you that Suits and Spooks 2 will be unlike any conference that you've ever attended. We anticipate a lot of interest in attending this event so I recommend that you take advantage of the early bird discount and register today. A free signed copy of the second edition of my book (due out in January 2012) will be included for all attendees.

According to NPR, Rep. Mike Rogers thinks that a piece of legislation is going to help stem the tide of IP theft on the part of foreign states like China. Rep. Rogers deserves credit for recognizing the problem and trying to do something about it, however the solution that he's considering - "naming and shaming" - not only won't work but completely misses the real problem.

The heart of the matter is not that foreign states are stealing U.S. intellectual property. Espionage is the 3rd oldest profession, and our reliance upon cyber-space-time has made it easier than ever for agents around the world to not only take what they want but make it look like others are the culprits. The solution doesn't lie in deterrence because deterrence is a laughable concept among sophisticated attackers. While it's natural to want to stop the "bad guys" from stealing what is yours, it's also naive to believe that you can do it. You can't stop bad guys from coming in, but you can stop your data from leaving. That's the key to ending China and Russia's relatively free access to U.S. technological secrets.

Don't threaten them. Don't pretend that you can deter them. Don't imagine that you even know which one of them is doing the attacking at any given time. Instead, Rep. Rogers should write legislation that requires U.S. companies to inventory their critical data so that they know where on their network it resides, then implement a set of security controls that monitors the behavior of authorized users and locks that data down when certain norms are violated. The hard truth of the matter is that most companies today don't have a clue about where on their network their critical data resides because they've bought into the old school security model of trying to stop attacks at the perimeter of their network. Until that changes, Rep. Rogers and others like him will just waste more taxpayer money and perpetuate the illusion that the problem is somewhere "out there" and can be stopped with U.S. muscle.
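The control described above has three parts: know which data is critical, watch how authorized users actually touch it, and lock it down when a norm is broken. As an added example (not from the post and not any product's code), here is a minimal version of that loop in Python. It assumes an inventory that tags critical paths, an access log in "timestamp user action path" form, and a norm that an authorized user touches at most a few distinct critical files per hour; the paths, log lines and threshold are all constructed for illustration.

```python
# Added example (not from the original post): a minimal version of the
# inventory -> monitor -> lockdown control described in the text.
# Assumptions: an inventory of critical paths, an audit log in
# "timestamp user action path" form, and a norm of at most MAX_DISTINCT
# distinct critical files per user per hour. All data below is constructed.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Step 1: the inventory. Constructed paths; in practice this comes from data
# classification, and it is the piece most companies are missing.
CRITICAL_INVENTORY: Set[str] = {
    "/share/rd/designs/controller-v3.pdf",
    "/share/rd/designs/firmware-src.zip",
    "/share/rd/test/bench-results.csv",
    "/share/legal/licensing-terms.docx",
}

# Step 2: what authorized users do. Constructed audit lines, not real logs.
# alice reads two drawings in the morning and one again after lunch (normal);
# carol pulls four critical files within seconds late at night (a violation).
SAMPLE_LOG = """\
2011-11-28T09:02:11 alice READ /share/rd/designs/controller-v3.pdf
2011-11-28T09:40:05 alice READ /share/rd/designs/firmware-src.zip
2011-11-28T10:15:44 bob READ /share/hr/handbook.pdf
2011-11-28T14:03:00 alice READ /share/rd/designs/controller-v3.pdf
2011-11-28T22:01:03 carol READ /share/rd/designs/controller-v3.pdf
2011-11-28T22:01:09 carol READ /share/rd/designs/firmware-src.zip
2011-11-28T22:01:15 carol READ /share/rd/test/bench-results.csv
2011-11-28T22:01:20 carol READ /share/legal/licensing-terms.docx
"""

MAX_DISTINCT = 2             # norm: distinct critical files per window (assumed)
WINDOW = timedelta(hours=1)  # sliding window length (assumed)

Event = Tuple[datetime, str, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse 'timestamp user action path' lines; malformed lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        ts, user, action, path = parts
        events.append((datetime.fromisoformat(ts), user, action, path))
    return events


def find_lockdowns(events: List[Event],
                   inventory: Set[str] = CRITICAL_INVENTORY,
                   limit: int = MAX_DISTINCT,
                   window: timedelta = WINDOW) -> Dict[str, Set[str]]:
    """Step 3: per-user sliding window over accesses to inventoried files.

    Returns {user: critical paths to lock} keyed on the first access at which
    the user exceeded the norm. Accesses to non-critical paths are ignored,
    which is what makes the inventory a prerequisite for the control.
    """
    history: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    lockdowns: Dict[str, Set[str]] = {}
    for ts, user, _action, path in sorted(events):
        if path not in inventory:
            continue
        history[user].append((ts, path))
        recent = {p for t, p in history[user] if ts - t <= window}
        if len(recent) > limit and user not in lockdowns:
            lockdowns[user] = recent
    return lockdowns


if __name__ == "__main__":
    for user, paths in find_lockdowns(parse_log(SAMPLE_LOG)).items():
        print(f"lock down for {user}: {sorted(paths)}")
```

The threshold and window are deliberately simple; the point is the shape of the control (classification first, then behaviour against a norm, then an action on the data rather than on the perimeter), not the specific numbers, which a real deployment would derive from each user's own history.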

Sunday, November 27, 2011

Recent implementation of amendments to Russian Law make the Russian Internet (Runet) more opaque to anyone other than the Russian security services. For example, below is the domain registration for a Russian IT company as listed on November 2, 2011. The registrar—Reg.Ru—is a Russian registrar located in Moscow:

domain: SAYTECH.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
org: Saitek, LLC
phone: +7 495 9843552
e-mail: villaine@mail.ru
registrar: REGRU-REG-RIPN
created: 2011.05.25
paid-till: 2012.05.25
source: TCI

As amended, however, Russian Federal Law FZ-152 On Personal Data now prohibits the release of personal data to any foreign entity by a Russian business operator. Personal data includes phone numbers and email addresses. As a result, the same domain registration now appears as below:

domain: SAYTECH.RU
nserver: ns1.reg.ru.
nserver: ns2.reg.ru.
state: REGISTERED, DELEGATED, UNVERIFIED
org: Saitek, LLC
registrar: REGRU-REG-RIPN
admin-contact: http://www.reg.ru/whois/admin_contact
created: 2011.05.25
paid-till: 2012.05.25
free-date: 2012.06.25
source: TCI

Note that the email address and telephone number no longer appear. Instead, anyone desiring contact information for Saitek, LLC must use the Reg.Ru whois administrative service. Using the whois service returns the form below. As you can see, the requestor must provide their email address and the information desired. However, under Federal Law FZ-152, the domain administrator will simply refuse to provide the information except under a very limited set of circumstances. Nevertheless, they will know who is interested and what they want.

The information is available since Federal Law FZ-152 now requires an internal passport for domain registration from a Russian registrar. Federal Law FZ-149 On Information, Information Technologies and Data Protection requires the operator to provide that information to investigators from the Russian security services. As a result, if the Federal Security Service (FSB) wants to know who registered the site posting information criticizing the government (usually referred to as inciting violence or extremism), no problem. However, if a US system administrator wants to contact someone about the problems originating from a Russian registered domain, tough luck.
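For anyone who runs abuse or incident-response lookups against Russian domains in bulk, the practical question is how to spot records like the second one automatically. As an added example (not from the post, and not Reg.Ru's or RIPN's code), the Python below parses the two key:value listings quoted above, diffs them, and reports which contact fields were withheld and where the registrar now redirects requests. The record text is the post's own; the list of which keys count as personal-data contact fields is this example's assumption.

```python
# Added example (not from the original post): parse the two RIPN-style whois
# listings for SAYTECH.RU quoted above and report what was withheld.
# CONTACT_FIELDS is an assumption about which keys carry personal data.
from typing import Dict, List, Optional, Tuple

CONTACT_FIELDS = ("phone", "e-mail", "fax-no", "person")  # assumed set

# Listing as it appeared on November 2, 2011 (copied from the post).
BEFORE = """\
domain:SAYTECH.RU
nserver:ns1.reg.ru.
nserver:ns2.reg.ru.
state:REGISTERED, DELEGATED, UNVERIFIED
org:Saitek, LLC
phone:+7 495 9843552
e-mail:villaine@mail.ru
registrar:REGRU-REG-RIPN
created:2011.05.25
paid-till:2012.05.25
source:TCI
"""

# Listing after the FZ-152 amendment took effect (copied from the post).
AFTER = """\
domain:SAYTECH.RU
nserver:ns1.reg.ru.
nserver:ns2.reg.ru.
state:REGISTERED, DELEGATED, UNVERIFIED
org:Saitek, LLC
registrar:REGRU-REG-RIPN
admin-contact:http://www.reg.ru/whois/admin_contact
created:2011.05.25
paid-till:2012.05.25
free-date:2012.06.25
source:TCI
"""


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Turn 'key:value' lines into {key: [values]}.

    Keys may repeat (nserver), so each maps to a list. Blank lines, '%'
    comment lines and lines with no colon are skipped rather than raising,
    because registrar output is not always well formed.
    """
    record: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("%"):
            continue
        key, sep, value = line.partition(":")  # split on the first colon only
        if not sep:
            continue
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def contact_status(record: Dict[str, List[str]]) -> Tuple[List[str], Optional[str]]:
    """Contact fields still present, plus any admin-contact redirect URL."""
    present = [f for f in CONTACT_FIELDS if f in record]
    redirect = record.get("admin-contact", [None])[0]
    return present, redirect


def diff_records(old: Dict[str, List[str]],
                 new: Dict[str, List[str]]) -> Tuple[List[str], List[str], List[str]]:
    """Keys removed, keys added, and keys whose values changed between listings."""
    removed = sorted(k for k in old if k not in new)
    added = sorted(k for k in new if k not in old)
    changed = sorted(k for k in old if k in new and old[k] != new[k])
    return removed, added, changed


if __name__ == "__main__":
    before, after = parse_whois(BEFORE), parse_whois(AFTER)
    removed, added, changed = diff_records(before, after)
    print("withheld fields:", removed)               # ['e-mail', 'phone']
    print("new fields:", added)                      # ['admin-contact', 'free-date']
    present, redirect = contact_status(after)
    print("direct contact fields left:", present)    # []
    print("requests must go through:", redirect)
```

Splitting on the first colon only matters here: the admin-contact value is itself a URL containing a colon, and a naive split on every colon would corrupt it.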

Tuesday, November 22, 2011

I just received the following update on the alleged Illinois Water Company attack that was released to the media by Joe Weiss. It appears to be a case of jumping too quickly to a conclusion with little to no corroborating evidence. I have an article coming out today for Slate on this issue but here's the ICS-CERT/FBI UPDATE in full:

After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois.

There is no evidence to support claims made in the initial Fusion Center report - which was based on raw, unconfirmed data and subsequently leaked to the media - that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant. In addition, DHS and FBI have concluded that there was no malicious traffic from Russia or any foreign entities, as previously reported.

Analysis of the incident is ongoing and additional relevant information will be released as it becomes available.

Monday, November 21, 2011

The House Permanent Select Committee on Intelligence recently announced that it would be conducting an investigation into whether the expansion of Chinese telecommunications companies Huawei and ZTE into the U.S. represents a threat to national security. I'm in favor of the investigation and, in my opinion, one of the things that the Committee should investigate is the Huawei Symantec (HS) joint venture and its "Wingmen"; i.e., U.S. companies that have signed up as partners to sell Huawei Symantec products to the U.S. government and associated entities. Symantec has recently announced that it's selling its 49% share of the joint venture to Huawei; however, that raises the question of who will be servicing those accounts. It seems to me that it'll be Huawei by default. At least two of those wingmen are Dell's Force 10 Networks and MPak Technologies, who recently won a contract with the University of Tennessee SimCenter which, in turn, caused several U.S. Senators to ask the Departments of Energy and Defense to investigate the reasons for the sale.

MPak Technologies Founder and President Mike Kornblum has openly said that "the performance of the Huawei Symantec hardware combined with Symantec software helped Mpak win deals with the U.S. government and a large contract at the University of Tennessee SimCenter: National Center for Computational Engineering." Personally, I'd love to know who in the U.S. government has paid Mpak for equipment made by Huawei and sold by Huawei Symantec through its U.S. partner MPak Technologies. The same goes for Force 10 Networks and HS's other "wingmen". The House Intelligence committee should want to know as well.

Tuesday, November 15, 2011

One of the biggest security issues with cloud computing is the location of data centers in high risk countries like Russia, China, India, Brazil, etc. If the country has laws which allow their security services to demand access to the foreign-owned data center, you've got a problem. If the country's own ICT infrastructure is "pwned", you've got a problem. Unlike other large cloud providers, Google made a smart move by building its data center in Finland, just a few hours away from the Russian Federation. My company regularly provides due diligence research on foreign supply chains and state security issues and here's a brief summary of our analysis on Google Russia.

Summary
OOO Google (Общество с ограниченной ответственностью Гугл, i.e., Google Limited Liability Company) is Google's Russian subsidiary. Google's activity in Russia is consistent with a desire to expand in the Russian market and exploit Russia's reservoir of IT professionals while minimizing Google's vulnerability to the Russian government. OOO Google employees listed on Russian social networking sites are usually graduates of Russia's elite universities. Google's largest capital investment pertinent to the Russian market, however, is an approximately $500 million datacenter in Finland. The datacenter enjoys excellent communication links with Russia, enabling Google to service and support its expanding Russian activity without giving the Russian government leverage over Google. In sum, Google is approaching the Russian market with its eyes open.

OOO Google

According to Google.ru, all sales and engineering activity is conducted from the Moscow and St. Petersburg offices. However, the press and Google.com covered the opening of a major new datacenter in Finland in 2011 (see the appendix for articles). The capital cost of the land and building is listed as $260 million before the installation of servers; similar Google datacenters are listed at approximately $500 million when complete. Google uses an innovative design with servers housed in standardized containers, enabling rapid construction and easy expansion by adding further containers. Google's servers run on Linux, and Russia is particularly strong in Linux developers since it is the Russian government's preferred operating system.

The new datacenter enjoys excellent communications with Russia. However, the Russian press frequently carries accusations that Google colludes with foreign intelligence services against Russia. As a result, Google is probably wise to locate the new facility outside Russia, which prevents the Russian government from using the facility as a hostage.

Google Vulnerabilities in Russia
Google’s primary vulnerability at this point is probably penetration by Russian intelligence services through a recruited asset. Placing the new datacenter in Finland shows that Google is sensitive to the baggage that comes with making a significant capital investment in Russia. However, the Russian press indicates that Russia’s intelligence services view Google as a threat, so penetrating Google’s Russian activities would be a priority for them. Indeed, the Google circle on moikrug.ru shows five employees with previous experience at Luxoft, a Russian software firm with excellent Federal Security Service connections.
